Data breach notifications one step closer to law… again

It's frustrating to be a consumer these days, especially knowing that your …

Every time there's a major data breach in retail or government, there's a chorus of frustrated customers trying to find out whether their information was exposed to would-be identity thieves. The problem is that it's nearly impossible to find this out unless the organization in question takes the initiative to notify the customers whose data was exposed. This, quite frankly, happens very slowly.

In response to this annoying trend, members of Congress have introduced legislation that would require organizations to notify customers when their information is no longer secure. None have passed as of yet—interest in such bills peaks when data breaches happen and wanes with the next news cycle—but there are currently two bills making their way through the system that show some promise.

The first and more important of the two is Senate bill 139 (S. 139), also known as the Data Breach Notification Act. Introduced by Senator Dianne Feinstein (D-CA), the bill would require companies engaged in interstate commerce as well as Federal agencies to disclose breaches of personally identifiable information directly to the victims. This would include any business that uses, accesses, transmits, stores, or even disposes of such information—if your data is compromised any time along the way, you, law enforcement, and credit reporting agencies would have to be notified.

So what's the catch? For one, the time frame for these notifications is, unfortunately, not specified. Instead, the bill says that they should be made "without unreasonable delay" following the discovery of the breach, and a "reasonable delay" is defined as the time it takes to determine the scope of the breach, restore the system, talk to law enforcement, and prevent further breaches. As we know from past high-profile security breaches (such as The Great TJX Breach of 2007 or the more recent Albert Gonzalez-gate), every one of those steps can significantly lengthen the time it takes for a company to even go public with the breach in the first place, and still more time is usually needed after that to fully determine the cause and extent of the data loss.

Additionally, businesses can claim exemption from the bill if they conclude that there's no significant risk as a result of the breach. The two examples laid out in the bill are encrypted data and data that was "rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms." As pointed out by security research firm Kaspersky Lab, this particular element of the Data Breach Notification Act is generating criticism among security experts. Not only does "other such mechanisms" encompass a huge number of technologies, but "simply encrypting data does not render it useless." Encryption only protects exposed data if the keys were not taken along with it; an attacker who has compromised the system that processes the data frequently has access to its key material as well, and weak or poorly implemented encryption can be broken outright. The bill, as written, lets the breached company make that judgment itself.

The second bill, the Personal Data Privacy and Security Act (S. 1490), largely focuses on punishing entities that fail to disclose data breaches. The bill states that anyone with knowledge of a security breach who is not exempt and conceals that information faces a fine, a jail sentence of up to five years, or both. The fines can range from $1,000 per violation per day up to a maximum of $250,000 per violation for as long as the violations persist.

S. 1490 acts more as a complement to S. 139 than anything else; it's not nearly as interesting on its own. And despite the shortfalls in S. 139, consumer advocates are holding out hope that something, anything, is better than nothing when it comes to keeping people informed.